[Webkit-unassigned] [Bug 12658] New: CrashTracer: 3 crashes in Safari at com.apple.WebCore: WebCore::Element::setAttribute + 58

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Feb 6 23:31:01 PST 2007


http://bugs.webkit.org/show_bug.cgi?id=12658

           Summary: CrashTracer: 3 crashes in Safari at com.apple.WebCore: WebCore::Element::setAttribute + 58
           Product: WebKit
           Version: 420+ (nightly)
          Platform: Macintosh
        OS/Version: Mac OS X 10.4
            Status: NEW
          Keywords: InRadar
          Severity: Normal
          Priority: P1
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: mjs at apple.com


2006-11-28 23:02:04 CrashTracer System:
PLEASE NOTE: This crash was automatically generated based on user crash
reports. Go here to learn how to deal with it:
http://howto.apple.com/db.cgi?CrashTracer

* APPLICATION: Safari
* CRASH: com.apple.WebCore:  WebCore::Element::setAttribute + 58
* MORE INFORMATION:
http://crashtracer.apple.com/detail.php?crash_id=5616952&app=Safari&build=9A288
(may not immediately have data)

This crash was escalated to Radar by the CrashTracer System because an internal
user explicitly requested it. The user provided the following comments:

Was browsing audible.com and tried to view a preview

Possible third-party binary images occurring in over 75% of processes that
crashed here:
    100.00% (2 of 2)  GLEngine ??? (???)  /System/Library/Frameworks/OpenGL.framework/Resources/GLEngine.bundle/GLEngine
    100.00% (2 of 2)  GLRendererFloat ??? (???)  /System/Library/Frameworks/OpenGL.framework/Resources/GLRendererFloat.bundle/GLRendererFloat
    100.00% (2 of 2)  com.macromedia.Flash Player.plugin 8.0.27 (1.0.2f27)  /Library/Internet Plug-Ins/Flash Player.plugin/Contents/MacOS/Flash Player


Summary of a selection of backtraces attributed to this bug. The stack frame
considered to be the unique "crash point" is highlighted ==> like this <==.
This frame is used for aggregation when filing these bugs and does not
necessarily imply fault.

        1  page zero:
    ==> 2  com.apple.WebCore:  WebCore::Element::setAttribute + 58 <==
             2  com.apple.WebCore:  WebCore::Element::setAttribute + 47
               2  com.apple.WebCore:  WebCore::HTMLImageElement::setHeight + 64
                 2  com.apple.WebCore:  KJS::ImageConstructorImp::construct + 287
                   2  com.apple.JavaScriptCore:  KJS::NewExprNode::evaluate + 540
                     2  com.apple.JavaScriptCore:  KJS::VarDeclNode::evaluate + 62
                       2  com.apple.JavaScriptCore:  KJS::VarDeclListNode::evaluate + 47
                         2  com.apple.JavaScriptCore:  KJS::VarStatementNode::execute + 130
                           2  com.apple.JavaScriptCore:  KJS::SourceElementsNode::execute + 177
                             2  com.apple.JavaScriptCore:  KJS::BlockNode::execute + 74
                               2  com.apple.JavaScriptCore:  KJS::DeclaredFunctionImp::execute + 52
                                 2  com.apple.JavaScriptCore:  KJS::FunctionImp::callAsFunction + 343
                                   2  com.apple.JavaScriptCore:  KJS::JSObject::call + 135
                                     2  com.apple.JavaScriptCore:  KJS::FunctionCallResolveNode::evaluate + 606
                                       2  com.apple.JavaScriptCore:  KJS::ExprStatementNode::execute + 130
                                         2  com.apple.JavaScriptCore:  KJS::SourceElementsNode::execute + 177
                                           2  com.apple.JavaScriptCore:  KJS::BlockNode::execute + 74
                                             2  com.apple.JavaScriptCore:  KJS::DeclaredFunctionImp::execute + 52
                                               2  com.apple.JavaScriptCore:  KJS::FunctionImp::callAsFunction + 343
                                                 2  com.apple.JavaScriptCore:  KJS::JSObject::call + 135
                                                   1  com.apple.WebCore:  KJS::JSAbstractEventListener::handleEvent + 1107
                                                   +-1  com.apple.WebCore:  WebCore::EventTargetNode::handleLocalEvents + 182
                                                   +---1  com.apple.WebCore:  WebCore::EventTargetNode::dispatchGenericEvent + 978
                                                   +-----1  com.apple.WebCore:  WebCore::EventTargetNode::dispatchEvent + 179
                                                   +-------1  com.apple.WebCore:  WebCore::EventTargetNode::dispatchMouseEvent + 466
                                                   +---------1  com.apple.WebCore:  WebCore::EventTargetNode::dispatchMouseEvent + 142
                                                   +-----------1  com.apple.WebCore:  WebCore::FrameView::dispatchMouseEvent + 361
                                                   +-------------1  com.apple.WebCore:  WebCore::FrameView::handleMouseReleaseEvent + 614
                                                   +---------------1  com.apple.WebCore:  WebCore::FrameMac::mouseUp + 217
                                                   +-----------------1  com.apple.WebKit:  -[WebHTMLView mouseUp:] + 210
                                                   +-------------------1  com.apple.AppKit:  -[NSWindow sendEvent:] + 5516
                                                   +---------------------1  com.apple.Safari:  -[Window sendEvent:]
                                                   +-----------------------1  com.apple.AppKit:  -[NSApplication sendEvent:] + 2837
                                                   +-------------------------1  com.apple.Safari:  -[BrowserApplication sendEvent:]
                                                   +---------------------------1  com.apple.AppKit:  -[NSApplication run] + 847
                                                   +-----------------------------1  com.apple.AppKit:  NSApplicationMain + 663
                                                   +-------------------------------1  com.apple.Safari:  __start
                                                   +---------------------------------1  com.apple.Safari:  start
                                                   +-----------------------------------1  page zero:  0x2
                                                   +-------------------------------------1  Main thread
                                                    pruning:  1  com.apple.WebCore:  KJS::JSAbstractEventListener::handleEvent + 1202


Some of the most recent comments:
* 7044219: Clicking on NetFlix preview.

Overall this crash was reported 2 times in OS builds 9A270 to 9A288, Safari
versions 521.26.2 to 521.28.2. Of these crashes, 1 was in the latest OS build,
9A288, and 1 was in the latest Safari version, 521.28.2.

2006-12-07 14:35:20 Stephanie Lewis:
Looks like 4662801 but that was supposed to be fixed in Leopard 9A268 and these
were later.

2006-12-08 13:06:52 David Harrison:
Deferring crashtracers with fewer than 100 instances.

2007-01-05 13:16:20 Stephanie Lewis:
4910230 is a reproducible duplicate

* STEPS TO REPRODUCE
1. Go to the site:
http://diane.zaadz.com/blog/tags/macdougalls+pride

2007-01-08 13:50:37 Stephanie Lewis:
Safari BRB Reviewed

2007-01-15 13:50:47 Alice Liu:
Safari blocker reviewed

2007-01-15 13:51:16 John Sullivan:
Can still repro with tip of tree on Tiger.

2007-01-22 13:32:58 Beth Dakin:
I cannot reproduce with today's Tip of Tree on Tiger. John is pulling fresh
sources so that he can try again too. Moving to Verify.

2007-01-22 14:38:30 John Sullivan:
Unfortunately the crash still happens for me at the same spot with the very
latest sources on Tiger.

2007-01-22 14:49:33 John Sullivan:
My Tiger machine is a G5. I can also repro on Leopard 9A347 on my MacBook Pro.

2007-01-27 18:42:06 Beth Dakin:
I was able to get this to crash after a long, long time with Guard Malloc
enabled, but it crashed in a different place. Very mysterious. I think I am
going to have to reduce this one on a machine where it is more easily
reproducible.

<rdar://problem/4853984>
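Triage of a CrashTracer summary like the one in this report comes down to three reads of the tree: which frame is the aggregation point, which native frames sit between it and the JavaScript engine (here the Image constructor's height setter, reached from a `new` expression inside an event listener), and where the aggregated traces stop agreeing. The Python below is an added example, not part of this bug report or of Apple's or WebKit's tooling, that does those reads mechanically. The sample text is a constructed, shortened copy of the summary above with its wrapped lines rejoined; the layout rules it assumes (indentation tracks call depth, each frame leads with the number of aggregated crashes, "==> ... <==" marks the crash point, "+---N" draws a branch only N crashes took, "pruning:" lines are skipped) are inferred from this page, not a documented CrashTracer grammar.

```python
"""Parse a CrashTracer backtrace summary and pull out the frames that matter for triage."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a shortened copy of the summary in this bug with the wrapped
# lines rejoined.  Assumed layout (inferred from the page, not a documented grammar):
# indentation grows with call depth, each frame starts with the number of aggregated
# crashes that passed through it, "==> ... <==" marks the crash-point frame,
# "+---N" draws a branch only N crashes took, and "pruning:" lines are dropped.
SAMPLE = """\
        1  page zero:
    ==> 2  com.apple.WebCore:  WebCore::Element::setAttribute + 58 <==
             2  com.apple.WebCore:  WebCore::Element::setAttribute + 47
               2  com.apple.WebCore:  WebCore::HTMLImageElement::setHeight + 64
                 2  com.apple.WebCore:  KJS::ImageConstructorImp::construct + 287
                   2  com.apple.JavaScriptCore:  KJS::NewExprNode::evaluate + 540
                     2  com.apple.JavaScriptCore:  KJS::VarDeclNode::evaluate + 62
                       2  com.apple.JavaScriptCore:  KJS::JSObject::call + 135
                         1  com.apple.WebCore:  KJS::JSAbstractEventListener::handleEvent + 1107
                         +-1  com.apple.WebCore:  WebCore::EventTargetNode::handleLocalEvents + 182
                         +---1  com.apple.WebCore:  WebCore::EventTargetNode::dispatchMouseEvent + 466
                         +-----1  com.apple.WebKit:  -[WebHTMLView mouseUp:] + 210
                         +-------1  com.apple.Safari:  start
                         +---------1  page zero:  0x2
                         +-----------1  Main thread
                          pruning:  1  com.apple.WebCore:  KJS::JSAbstractEventListener::handleEvent + 1202
"""

FRAME_RE = re.compile(
    r"^(?P<lead>\s*(?:==>\s*)?(?:\+-*)?)(?P<count>\d+)\s+(?P<body>.*?)\s*(?P<end><==)?\s*$"
)
OFFSET_RE = re.compile(r"^(?P<name>.*?)\s+\+\s+(?P<off>\d+)$")


@dataclass(frozen=True)
class Frame:
    depth: int             # column of the count digit, i.e. position in the summary tree
    count: int             # aggregated crashes that passed through this frame
    module: str            # binary image, or CrashTracer's "page zero" / "Main thread" markers
    symbol: str            # symbol without the "+ offset" suffix ("" when none is given)
    offset: Optional[int]  # byte offset into the symbol, or None
    crash_point: bool      # the "==> ... <==" frame CrashTracer aggregates on
    branch: bool           # drawn with "+---": a path only some of the crashes took

    def label(self) -> str:
        return f"{self.symbol} + {self.offset}" if self.offset is not None else self.symbol


def parse_summary(text: str) -> List[Frame]:
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if not m:                      # e.g. the trailing "pruning:" note
            continue
        module, _, rest = m.group("body").partition(":")
        name, offset = rest.strip(), None
        om = OFFSET_RE.match(name)
        if om:
            name, offset = om.group("name"), int(om.group("off"))
        lead = m.group("lead")
        frames.append(Frame(len(lead), int(m.group("count")), module.strip(), name,
                            offset, "==>" in lead, "+" in lead))
    return frames


def crash_point(frames: List[Frame]) -> Frame:
    return next(f for f in frames if f.crash_point)


def native_chain(frames: List[Frame], js_engine: str = "com.apple.JavaScriptCore") -> List[str]:
    """Frame labels from the crash point outward, stopping where the JS engine called in."""
    out = []
    for f in frames[frames.index(crash_point(frames)):]:
        if f.module == js_engine:
            break
        out.append(f.label())
    return out


def branch_point(frames: List[Frame]) -> Optional[Frame]:
    """First frame below the crash point that fewer crashes passed through: where the
    aggregated traces stop agreeing (the pruned trace took a different frame there)."""
    cp = crash_point(frames)
    return next((f for f in frames[frames.index(cp) + 1:] if f.count < cp.count), None)


def top_frame_in_page_zero(frames: List[Frame]) -> bool:
    """True when the innermost frame is CrashTracer's "page zero" marker, i.e. the
    faulting address lay in the zero page rather than in any loaded image."""
    return bool(frames) and frames[0].module == "page zero"


if __name__ == "__main__":
    fr = parse_summary(SAMPLE)
    print("crash point:      ", crash_point(fr).label())
    print("native frames:    ", native_chain(fr))
    bp = branch_point(fr)
    print("traces diverge at:", bp.label() if bp else None)
    print("page-zero top:    ", top_frame_in_page_zero(fr))
```

Run on the sample it reports setAttribute + 58 as the crash point, four WebCore frames between it and KJS::NewExprNode::evaluate (the crash is reached from a JavaScript `new` expression through the Image constructor's height argument), divergence at the event-listener frame (the pruning line says the other trace entered through handleEvent + 1202 instead), and a page-zero innermost frame on the trace that carried it. None of that says which pointer is bad; as the summary itself notes, the aggregation frame does not imply fault.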

